ISO 27001:2022 Requirements
The organization shall determine:
- interested parties that are relevant to the information security management system;
- the relevant requirements of these interested parties;
- which of these requirements will be addressed through the information security management system.
Note: The requirements of interested parties can include legal and regulatory requirements and contractual obligations.
The organization shall determine interested parties that are relevant to the information security management system.
Identifying and understanding the interested parties relevant to the Information Security Management System (ISMS) is a foundational step in establishing an effective security framework. Interested parties are individuals or groups that can affect, be affected by, or perceive themselves to be affected by the organization’s decisions or activities related to information security. ISO/IEC 27001, the international standard for information security management, requires the organization to determine these parties and their relevant requirements, and to decide which of those requirements the ISMS will address. Here’s a brief overview of the steps involved:
- Identify Interested Parties: Make a list of individuals, groups, or entities that have an interest in the information security of the organization. This can include employees, customers, suppliers, regulators, shareholders, and other stakeholders.
- Determine Relevant Requirements: Understand the expectations and requirements of each identified interested party concerning information security. This involves analyzing their needs, concerns, and any legal or regulatory obligations that may apply.
- Assess the Impact: Evaluate the potential impact of the interested parties on the organization’s information security objectives. Consider how their expectations and requirements may influence the ISMS.
- Prioritize and Document: Prioritize the interested parties based on the significance of their impact. Document the identified interested parties and their relevant requirements in the context of the ISMS.
- Incorporate into the ISMS: Integrate the identified interested parties and their requirements into the development, implementation, and maintenance of the ISMS. This ensures that the security controls and processes address the needs and expectations of these stakeholders.
- Monitor and Review: Regularly review and update the list of interested parties and their requirements. As the organizational context changes, new stakeholders may emerge, and their expectations may evolve.
By actively considering and addressing the concerns of interested parties, organizations can enhance the effectiveness and acceptance of their ISMS. This approach aligns with the broader principles of stakeholder engagement and demonstrates a commitment to managing information security in a holistic and inclusive manner.
An interested party is a stakeholder: a person, group or entity with an interest in your ISMS (or in the organization itself). Many of them will already be apparent once you have worked through the internal and external issues that affect the intended outcomes of the ISMS (clause 4.1). They will include staff, suppliers, customers, shareholders, directors, prospects, board members, competitors, legislators and regulators, unions and so on. Interested parties are not always the obvious ones either: attackers and other malicious parties may need consideration, as may the media and others, depending on the nature of your business and the issues it faces.

Rather than writing one-size-fits-all policies and controls for every interested party, assess each in terms of power, interest and support, that is, their ability to affect your approach to the ISMS, and then develop an approach suited to each. For example, if a customer demanded that you invest in ISO 27001 and build an independently certified ISMS, would you do so if they were a small, non-influential player? You would probably think differently if that customer were one of many similar customers you wanted to win, or a large and powerful player in its own right.

If a stakeholder has high power and low interest, treat them as a ‘keep satisfied’ stakeholder and ask what policies and controls in your ISMS will keep them satisfied. Legislators and regulators, very powerful customer groups and shareholders typically sit here, as may external auditors and industry bodies that can affect your business success. Their interest is quite low on a day-to-day basis, but their power to affect your business goals is high, so they need to be kept satisfied, usually from a distance; an independently certified ISO 27001 certificate goes some way to addressing their needs. Very powerful interested parties such as regulators may also prescribe specific ways of working.

If an interested party has both high interest and high power, they are a key player and should be actively involved. Your senior management team, key department heads and boutique critical suppliers will likely fall into this category, as may some closely engaged important customers who are interested in how you work day to day because it affects them too.

It is easy to create long lists of stakeholders, but be wary of spending too long on those with lower power. Those with low power and high interest need to be kept informed but may not need to be consulted on what your ISMS covers; you may simply need to tell them, otherwise they can consume a great deal of your time and investment budget. Also, be careful not to dump stakeholders you don’t like into the low-power buckets: we saw this happen in one firm. They paid for it later because the stakeholder was actually quite powerful and delayed them achieving their goals because their requirements were not prioritized.

Combining this interested-party work with the internal and external issues you identified under 4.1 leads to a better understanding of where threats and opportunities for the information security management system might stem from.
Steps to identify interested parties relevant to the information security management system
Identifying interested parties relevant to the Information Security Management System (ISMS) involves a systematic process to recognize individuals, groups, or entities that may have an impact on or be impacted by the organization’s information security. Here’s a step-by-step guide to help you identify these stakeholders:
- Establish a Team: Form a cross-functional team that includes representatives from various departments within the organization. This team will bring diverse perspectives to the identification process.
- Review Documentation: Examine existing documentation, such as organizational charts, contracts, policies, and procedures, to identify parties that may have a stake in the information security of the organization.
- Conduct Stakeholder Workshops: Facilitate workshops or interviews with key stakeholders, both internal and external, to gather insights into their expectations, concerns, and requirements related to information security.
- Use Surveys and Questionnaires: Develop surveys or questionnaires to collect input from a broader set of stakeholders. This method can help reach individuals who may not be easily accessible for in-person interviews.
- Review Legal and Regulatory Requirements: Identify relevant legal and regulatory requirements pertaining to information security. This can include data protection laws, industry standards, and contractual obligations that may specify security expectations.
- Examine Industry Best Practices: Research industry best practices and standards related to information security. This can provide insights into common expectations from stakeholders within your specific sector.
- Consider Internal Departments: Look within your organization to identify internal departments and teams that may have a vested interest in information security. This includes IT, legal, compliance, human resources, and executive leadership.
- Review Incident History: Analyze past incidents related to information security to identify parties that may have been affected or played a role in addressing the incidents. This can provide valuable insights into areas of concern.
- Assess Suppliers and Partners: Consider external entities such as suppliers, partners, and contractors that may have access to your organization’s information. Assess their potential impact on your information security.
- Evaluate Customer Feedback: Review customer feedback, complaints, and inquiries to identify any security-related concerns or expectations. Customer perceptions can be crucial in understanding the business impact of information security.
- Engage with Industry Forums: Participate in industry forums, conferences, and networking events to understand the broader ecosystem and identify stakeholders with common interests in information security.
- Regularly Update the Stakeholder Register: Maintain a stakeholder register that includes information on identified stakeholders, their roles, interests, and requirements. Regularly update this register to reflect changes in the organization’s context.
By employing a comprehensive approach that involves multiple sources of information, you can create a thorough understanding of the interested parties relevant to your ISMS. This understanding will be valuable in shaping your information security policies, procedures, and controls to meet the expectations and requirements of these stakeholders.
Examples of Stakeholder analysis
Stakeholder: Executive Leadership Team
- Interest:
  - High interest in the overall effectiveness of the ISMS.
  - Concerned about the protection of sensitive business information and the potential impact of security incidents on the organization’s reputation.
- Influence:
  - High influence in setting organizational priorities and allocating resources for information security.
  - Decision-makers for strategic initiatives related to information security.
- Expectations:
  - Regular updates on the status of the ISMS.
  - Assurance of compliance with relevant laws and regulations.
  - Demonstrable value of information security investments.
Stakeholder: IT Department
- Interest:
  - High interest in the technical aspects of information security, including network security, system integrity, and data protection.
  - Concerned about vulnerabilities, threats, and incidents that may affect IT infrastructure.
- Influence:
  - Directly involved in implementing and maintaining technical controls for information security.
  - Key role in incident response and recovery.
- Expectations:
  - Collaboration with other departments for a holistic approach to information security.
  - Timely communication of security incidents and vulnerabilities.
  - Participation in the design and review of security controls.
Stakeholder: Employees
- Interest:
  - Varied interest, ranging from concern about the security of personal information to understanding how security measures impact daily tasks.
  - Employees are often the first line of defense against social engineering and insider threats.
- Influence:
  - Indirect influence through adherence to security policies and practices.
  - May identify security concerns and report incidents.
- Expectations:
  - Clear and accessible information security policies.
  - Regular training on security best practices.
  - User-friendly security measures that do not overly disrupt workflow.
Stakeholder: Customers
- Interest:
  - Concerned about the security of their personal and financial information.
  - Trust in the organization’s ability to protect sensitive data.
- Influence:
  - Can influence the organization’s reputation and success through their perception of the security measures in place.
- Expectations:
  - Transparent communication about data protection measures.
  - Assurance of compliance with industry standards.
  - Swift notification in the event of a data breach.
Stakeholder: Regulatory Bodies
- Interest:
  - High interest in ensuring organizations comply with relevant laws and regulations.
  - Concerned about the protection of sensitive information, especially personal and financial data.
- Influence:
  - Can enforce legal consequences for non-compliance.
  - May set standards and guidelines for information security.
- Expectations:
  - Evidence of compliance with specific regulations (e.g., GDPR, HIPAA).
  - Cooperation during regulatory audits and investigations.
Stakeholder: Business Partners and Suppliers
- Interest:
  - Concerned about the security of shared information and potential risks associated with the organization’s information security practices.
- Influence:
  - May impose contractual obligations related to information security.
  - Could impact business relationships based on the perceived security posture.
- Expectations:
  - Evidence of compliance with security standards.
  - Collaboration on security assessments and audits.
  - Communication about security incidents that may impact shared data.
Stakeholder: Internal Audit and Compliance Teams
- Interest:
  - High interest in ensuring that information security controls meet internal policies and external regulatory requirements.
- Influence:
  - Conduct audits to assess the effectiveness of information security controls.
  - Provide recommendations for improvement.
- Expectations:
  - Regular updates on the status of information security compliance.
  - Cooperation during audits and implementation of audit recommendations.
Stakeholder: Legal Team
- Interest:
  - Concerned about legal implications related to information security incidents and breaches.
- Influence:
  - Involved in the review and creation of contracts with a focus on information security clauses.
  - May provide legal advice on compliance matters.
- Expectations:
  - Clear documentation of information security measures for legal purposes.
  - Collaboration during the development of contracts with security implications.
The organization shall determine the relevant requirements of these interested parties.
Determining the relevant requirements of interested parties is a critical step in establishing an effective Information Security Management System (ISMS). Once you’ve identified the interested parties, you need to understand their expectations and requirements related to information security. Here’s a guide on how to determine and document these relevant requirements:
- Communicate with Stakeholders: Engage in open communication with the identified interested parties. This can be through surveys, interviews, meetings, or other forms of direct interaction. Seek to understand their concerns, expectations, and specific requirements related to information security.
- Review Legal and Regulatory Documentation: Examine relevant laws, regulations, and contractual agreements that apply to your organization. Identify information security requirements outlined in these documents, as non-compliance may have legal consequences.
- Refer to Industry Standards and Best Practices: Research industry-specific standards and best practices for information security. These may provide guidance on the expectations of stakeholders within your sector and help you establish a baseline for compliance.
- Evaluate Internal Policies and Procedures: Review your organization’s internal policies and procedures related to information security. Ensure that they align with the expectations of the identified stakeholders. Identify any gaps that need to be addressed.
- Assess Risk and Impact: Evaluate the potential risks and impacts associated with each interested party’s requirements. This assessment helps prioritize and tailor your information security controls to address the most critical concerns.
- Consider Customer Feedback: Analyze customer feedback and inquiries related to information security. Understand their expectations and concerns, as these are key components of meeting customer requirements.
- Collaborate with Internal Departments: Work closely with internal departments, such as IT, legal, compliance, and human resources, to understand their specific requirements related to information security. Ensure that these requirements are integrated into the ISMS.
- Assess Supplier and Partner Requirements: Evaluate the requirements of suppliers, partners, and other external entities that have access to your organization’s information. Incorporate these requirements into your ISMS to manage third-party risks.
- Document Requirements Clearly: Clearly document the identified requirements in a structured manner. This documentation should specify the expectations of each interested party and how the organization intends to address them.
- Prioritize Requirements: Prioritize the identified requirements based on their importance and impact on the organization’s information security. This prioritization will guide the allocation of resources and efforts.
- Update the ISMS Documentation: Ensure that the requirements of interested parties are reflected in the documentation of your ISMS. This includes policies, procedures, risk assessments, and other relevant documents.
- Establish a Review Mechanism: Implement a periodic review mechanism to keep the determination of relevant requirements up-to-date. Regularly revisit and reassess the needs and expectations of interested parties in the evolving business environment.
By systematically determining and documenting the relevant requirements of interested parties, your organization can tailor its information security measures to address specific concerns and expectations. This approach enhances the effectiveness of the ISMS and demonstrates a commitment to meeting the needs of stakeholders.
Some examples of requirements of interested parties relevant to ISMS
- Customers:
  - Confidentiality: Customers may expect that their personal and sensitive information is kept confidential and not disclosed to unauthorized parties.
  - Data Integrity: Customers may require assurance that their data is accurate, complete, and not subject to unauthorized alterations.
  - Availability: Customers may expect that the services and products they rely on are available without disruption.
- Regulatory Authorities:
  - Compliance: Regulatory bodies often have specific information security regulations that organizations must comply with. These may include data protection laws, industry-specific regulations, and cybersecurity standards.
  - Reporting: Regulatory authorities may require organizations to report security incidents and breaches within a specified timeframe.
- Employees:
  - Training: Employees may expect to receive regular training on information security awareness and best practices.
  - Access Control: Employees may have requirements related to access controls to ensure that they only have access to the information necessary for their roles.
  - Privacy: Employees may have privacy expectations related to the handling of their personal information.
- Business Partners and Suppliers:
  - Data Handling: Partners and suppliers may have requirements regarding how their data is handled, stored, and transmitted.
  - Compliance Verification: Business partners may request evidence of the organization’s compliance with relevant information security standards.
- Management and Leadership:
  - Risk Management: Leadership may expect the organization to implement effective risk management processes to identify, assess, and mitigate information security risks.
  - Performance Metrics: Leadership may require performance metrics and reporting on the effectiveness of the ISMS.
- IT Department:
  - Security Controls: The IT department may have specific requirements for implementing and maintaining technical security controls, such as firewalls, intrusion detection systems, and antivirus software.
  - Incident Response: Requirements related to incident response, including reporting procedures and mitigation strategies.
- Legal and Compliance Teams:
  - Contractual Obligations: Legal teams may have requirements related to the inclusion of specific clauses in contracts to address information security.
  - Legal Compliance: Ensure compliance with relevant laws and regulations to avoid legal consequences.
- Shareholders/Investors:
  - Risk Disclosure: Shareholders may require transparent disclosure of information security risks that could impact the organization’s financial performance.
  - Investment Protection: Assurance that information security measures are in place to protect the value of their investments.
The organization shall determine which of these requirements will be addressed through the information security management system
Once an organization has identified the requirements of various interested parties relevant to its Information Security Management System (ISMS), the next step is to determine how these requirements will be addressed within the ISMS. This involves a careful assessment and decision-making process to prioritize and incorporate the identified requirements into the organization’s information security framework. Here’s a guide on how to determine which requirements will be addressed through the ISMS:
- Prioritize Requirements: Evaluate the identified requirements based on their significance, potential impact, and criticality to the organization. Prioritize those requirements that align with the organization’s objectives and pose higher risks if not addressed.
- Align with ISMS Objectives: Ensure that the selected requirements align with the objectives and scope of the ISMS. The ISMS should be designed to meet the organization’s overall goals, and the selected requirements should contribute to achieving those objectives.
- Legal and Regulatory Compliance: Prioritize requirements that are necessary for legal and regulatory compliance. Ensure that the organization’s ISMS addresses these requirements to avoid legal consequences and regulatory non-compliance.
- Risk Assessment: Conduct a risk assessment to identify and prioritize requirements based on potential risks to information security. Addressing high-risk requirements is crucial to mitigating significant security threats.
- Resource Availability: Consider the resources available to the organization, including budget, personnel, and technology. Select requirements that can be feasibly addressed within the available resources.
- Stakeholder Impact: Assess the impact on key stakeholders and prioritize requirements that have a direct impact on customer satisfaction, employee well-being, and other critical stakeholders.
- Integration with Existing Processes: Ensure that the selected requirements can be seamlessly integrated into existing processes and procedures. Integration facilitates a smoother implementation of information security controls.
- Continuous Improvement: Consider the organization’s commitment to continuous improvement. Select requirements that can be monitored, measured, and improved over time to enhance the effectiveness of the ISMS.
- Documentation and Communication: Clearly document the selected requirements and the rationale for their inclusion in the ISMS. Communicate these decisions to relevant stakeholders, including employees, customers, and partners.
- Review and Update: Establish a regular review process to reassess the relevance and effectiveness of the selected requirements. Information security threats and organizational contexts evolve, so periodic reviews are essential for maintaining alignment.
- Alignment with Industry Standards: Ensure that the selected requirements align with industry standards and best practices for information security. This alignment can provide a solid foundation for the organization’s security measures.
- Demonstrate Compliance: Select requirements that can be effectively demonstrated and audited to showcase the organization’s compliance with information security standards and regulations.
By carefully considering these factors, an organization can make informed decisions on which requirements to prioritize and address through its ISMS. This ensures that the information security controls are tailored to meet the specific needs of the organization and its stakeholders.
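As an added example (not from the article, and not something ISO/IEC 27001 itself prescribes), the following Python sketch turns the power/interest grid described earlier and the clause 4.2 register into something machine-checkable. Each interested party carries a power and interest score that maps to one of the four engagement strategies (key player, keep satisfied, keep informed, monitor); each requirement records its source, the 4.2 c) decision on whether the ISMS addresses it, the controls it traces to, and a rationale where it is left out of scope. A gap check then flags in-scope requirements with no control mapped, exclusions with no documented rationale, and legal or regulatory requirements left out of scope. The parties, requirement wording, scoring threshold and the Annex A style control references are constructed for illustration and are not a mapping the standard defines.

```python
"""Interested-party register with power/interest mapping and ISMS traceability check.

Added illustrative example. All register content (parties, requirement text,
control references, threshold) is constructed, not taken from the standard.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Requirement:
    req_id: str
    text: str
    source: str                 # "legal", "regulatory", "contractual" or "expectation"
    in_isms_scope: bool         # the clause 4.2 c) decision: addressed through the ISMS?
    controls: List[str] = field(default_factory=list)   # control references (illustrative)
    rationale: str = ""         # required when a requirement is deliberately left out of scope


@dataclass
class InterestedParty:
    name: str
    power: int                  # 1 (low) .. 5 (high): ability to affect the ISMS
    interest: int               # 1 (low) .. 5 (high): day-to-day attention paid to it
    requirements: List[Requirement] = field(default_factory=list)


def classify(party: InterestedParty, threshold: int = 3) -> str:
    """Power/interest grid: the four engagement strategies described in the article."""
    high_power = party.power >= threshold
    high_interest = party.interest >= threshold
    if high_power and high_interest:
        return "key player: actively involve"
    if high_power:
        return "keep satisfied"
    if high_interest:
        return "keep informed"
    return "monitor"


def grid_summary(parties: List[InterestedParty]) -> Dict[str, str]:
    """Map each party name to its engagement strategy."""
    return {p.name: classify(p) for p in parties}


def gap_check(parties: List[InterestedParty]) -> List[str]:
    """Traceability checks on the 4.2 register; each finding is an item for the ISMS review."""
    findings = []
    for party in parties:
        for req in party.requirements:
            if req.in_isms_scope and not req.controls:
                findings.append(f"{req.req_id} ({party.name}): in ISMS scope but no control mapped")
            if not req.in_isms_scope and not req.rationale:
                findings.append(f"{req.req_id} ({party.name}): excluded from ISMS without documented rationale")
            if not req.in_isms_scope and req.source in ("legal", "regulatory"):
                findings.append(f"{req.req_id} ({party.name}): legal/regulatory requirement excluded; needs legal sign-off")
    return findings


def build_sample_register() -> List[InterestedParty]:
    """Constructed sample register; parties, wording and control references are illustrative."""
    return [
        InterestedParty("Data protection regulator", power=5, interest=2, requirements=[
            Requirement("REQ-01", "Notify personal data breaches within the statutory deadline",
                        "regulatory", True, ["A.5.24 incident management planning", "A.5.26 incident response"]),
        ]),
        InterestedParty("Enterprise customer (key account)", power=4, interest=4, requirements=[
            Requirement("REQ-02", "Encrypt customer data at rest and in transit",
                        "contractual", True, ["A.8.24 use of cryptography"]),
            Requirement("REQ-03", "Quarterly security posture report", "contractual", True),  # no control yet
        ]),
        InterestedParty("Employees", power=2, interest=4, requirements=[
            Requirement("REQ-04", "Annual security awareness training", "expectation", True,
                        ["A.6.3 awareness, education and training"]),
        ]),
        InterestedParty("Trade press", power=2, interest=1, requirements=[
            Requirement("REQ-05", "Public statement within 24 hours of any incident", "expectation", False),
        ]),
    ]


if __name__ == "__main__":
    register = build_sample_register()
    for name, strategy in grid_summary(register).items():
        print(f"{name:36s} -> {strategy}")
    for finding in gap_check(register):
        print("GAP:", finding)
```

Run stand-alone, the script prints the engagement strategy for each party and two gap findings: REQ-03 is in scope but has no control mapped, and REQ-05 was excluded without a documented rationale. Adding a `rationale` to REQ-05 clears the second finding, which is the point: an exclusion under 4.2 c) is a decision that should be recorded, not an omission.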
Let’s take an example to illustrate how an organization might address specific requirements through its Information Security Management System (ISMS). Suppose one of the identified requirements is related to the confidentiality of customer data. Here’s how the organization could address this requirement through its ISMS:
- Requirement: Confidentiality of customer data
- Steps to address through the ISMS:
  - a. Risk assessment: conduct a risk assessment to identify threats to, and vulnerabilities in, the confidentiality of customer data.
  - b. Information security policy: develop a policy that explicitly addresses the confidentiality of customer data, defining the scope, responsibilities, and principles for safeguarding this information.
  - c. Access control: restrict access to customer data to authorized personnel only, for example through role-based access, strong authentication, and encryption.
  - d. Training and awareness: integrate employee training on the importance of maintaining the confidentiality of customer data into the overall security awareness program.
  - e. Data classification: implement a classification scheme that categorizes information, including customer data, by sensitivity, and apply security controls appropriate to each class.
  - f. Encryption: protect customer data in storage, in transit, and during processing; for example, TLS for data in transit and strong, authenticated encryption for data at rest, with keys managed separately from the data they protect.
  - g. Incident response: develop a plan for breaches of confidentiality, defining procedures for reporting and responding to incidents that may compromise customer data.
  - h. Monitoring and auditing: track access to customer data, detect anomalies, and verify that the established controls are operating as intended.
  - i. Documentation: record the measures taken to protect the confidentiality of customer data, including policies, procedures, risk assessments, and audit reports.
  - j. Review and continual improvement: regularly review the effectiveness of these measures, using feedback, audit results, and incident reports to improve the ISMS and its ability to maintain the confidentiality of customer data.
This example illustrates how specific requirements, in this case, the confidentiality of customer data, can be systematically addressed through various components of an ISMS. The organization, in alignment with its overall information security objectives, implements a range of measures that are documented, monitored, and subject to continuous improvement. This approach helps the organization meet stakeholder expectations and regulatory requirements while fostering a robust security posture.
The requirements of interested parties can include legal and regulatory requirements and contractual obligations
Legal and regulatory requirements, as well as contractual obligations, are often critical components of the requirements identified by interested parties in the context of an Information Security Management System (ISMS). Addressing these requirements is crucial for ensuring compliance, managing risks, and meeting the expectations of relevant stakeholders. Let’s delve into each of these:
- Legal and Regulatory Requirements:
  - Example: Suppose the organization operates in the European Union. In this case, compliance with the General Data Protection Regulation (GDPR) would be a legal requirement. The organization needs to ensure that its ISMS addresses GDPR principles related to the processing and protection of personal data.
  - Addressing through ISMS:
    - Implement controls and processes within the ISMS to ensure compliance with specific legal requirements.
    - Regularly monitor changes in relevant laws and regulations and update the ISMS accordingly.
    - Document compliance measures and maintain records for audit purposes.
- Contractual Obligations:
  - Example: The organization has contractual agreements with clients that specify certain security measures, such as encryption of sensitive data. These contractual obligations must be met to maintain trust and legal standing.
  - Addressing through ISMS:
    - Include a review of contractual obligations in the risk assessment process of the ISMS.
    - Develop specific policies and procedures within the ISMS to address contractual security requirements.
    - Establish a mechanism to communicate and coordinate with relevant departments to ensure adherence to contractual obligations.
- Compliance Verification:
  - Example: A business partner may require evidence of compliance with a specific security standard, such as ISO/IEC 27001. Providing this evidence is essential for maintaining a trusted relationship.
  - Addressing through ISMS:
    - Incorporate processes for verifying and documenting compliance with relevant standards within the ISMS.
    - Establish a communication mechanism to provide evidence of compliance to partners as needed.
- Data Protection Laws:
  - Example: A new data protection law is enacted in the region where the organization operates, imposing additional requirements on the handling of personal data.
  - Addressing through ISMS:
    - Regularly update policies and procedures within the ISMS to align with changes in data protection laws.
    - Conduct training sessions for employees to ensure awareness of new legal requirements.
- Industry-Specific Regulations:
  - Example: Organizations in the healthcare sector may be subject to regulations such as the Health Insurance Portability and Accountability Act (HIPAA) in the United States.
  - Addressing through ISMS:
    - Develop and maintain controls within the ISMS that specifically address industry-specific regulations.
    - Conduct regular assessments to ensure ongoing compliance with industry regulations.
- Audit and Reporting Requirements:
  - Example: Regulatory bodies may require regular audits and reports on the organization’s information security practices.
  - Addressing through ISMS:
    - Establish processes within the ISMS to facilitate internal and external audits.
    - Develop reporting mechanisms to provide required information to regulatory bodies.
Addressing legal, regulatory, and contractual requirements within the ISMS ensures that the organization not only complies with applicable laws and agreements but also builds a robust and resilient information security framework that can adapt to changing requirements over time. This integration contributes to the overall effectiveness of the ISMS in managing information security risks and meeting the expectations of interested parties.
